Administrator Tasks

If you enable the appliance administration network, verify that the administration network and the data center network are configured to allow traffic to and from the cluster control plane. See the following resources:

Create the following resources in the Private Cloud Appliance Compute Enclave:

  • Platform images. Platform images include the images required by OKE, which have Kubernetes installed on them. Platform images should be imported into all tenancies in the Compute Enclave during appliance installation, upgrade, or patching. If that was not done, a Service Enclave administrator must import the images as described in Providing Platform Images in the Oracle Private Cloud Appliance Administrator Guide.

  • A user group that has a policy authorizing its members to use OKE. See Creating and Managing User Groups in the Oracle Private Cloud Appliance User Guide to create a group or update an existing group. Include the manage cluster-family authorization in the policy. The following is an example policy for the OKE user group. Depending on your organization, for example if a separate team manages network resources, some of the following "manage" authorizations could be "read" or "use" authorizations, or you might need to add authorizations. You might need to create more than one user group to authorize OKE work in different compartments.

    allow group group-name to read all-resources in tenancy
    allow group group-name to manage cluster-family in compartment compartment-name
    allow group group-name to manage instance-family in compartment compartment-name
    allow group group-name to manage virtual-network-family in compartment compartment-name
    allow group group-name to manage volume-family in compartment compartment-name

  • The OraclePCA-OKE/cluster_id defined tag.

    This tag is required to create or update an OKE cluster or node pool. This tag is also used to identify instances that need to be in a dynamic group.

    1. Create the OraclePCA-OKE tag namespace.

      In the Resource Tag Management chapter of the Oracle Private Cloud Appliance User Guide, follow the procedure in "Creating a Tag Namespace."

      Important:

      Create the OraclePCA-OKE tag namespace in the tenancy (root) compartment, not in a child compartment of the tenancy.

      In the Create Namespace Definition dialog:

      • Enter "OraclePCA-OKE" for the Name.

      • Enter a description for the tag namespace.

      • Click the Create Namespace Definition button.

        The details page for the OraclePCA-OKE tag namespace is shown.

    2. Create the cluster_id tag key definition in the OraclePCA-OKE tag namespace.

      On the details page for the OraclePCA-OKE tag namespace, click the Create Tag Key Definition button above the list of tag key definitions.

      In the Create Tag Key Definition dialog:

      • Enter "cluster_id" for the Name.

      • Enter a description for the tag key.

      • Ensure that Static Value is selected for the Tag Value Type.

      • Click the Create Tag Key Definition button.

    Important:

    The tag namespace name must be exactly OraclePCA-OKE, and the tag key name must be exactly cluster_id.

    When you create a node pool, or update the node pool to add nodes, this tag is applied to every node to identify instances that need to be members of the dynamic group.

  • A dynamic group to authorize member instances to manage OKE resources. See Creating and Managing Dynamic Groups in the Oracle Private Cloud Appliance User Guide.

    Enter the following matching rule to define the group:

    tag.OraclePCA-OKE.cluster_id.value

    All nodes that have this tag are members of the dynamic group.

  • A policy for the dynamic group. See Managing Policies in the Oracle Private Cloud Appliance User Guide.

    Specify the following rules for the policy:

    allow dynamic-group dynamic-group-name to use instance-family in tenancy
    allow dynamic-group dynamic-group-name to use virtual-network-family in tenancy
    allow dynamic-group dynamic-group-name to manage load-balancers in tenancy
    allow dynamic-group dynamic-group-name to manage volume-family in tenancy
    allow dynamic-group dynamic-group-name to manage file-family in tenancy
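Because membership in this dynamic group is decided purely by the presence of the OraclePCA-OKE.cluster_id defined tag, and the policy above grants the group tenancy-wide privileges, an administrator should periodically check which instances actually carry the tag. The following is an added example, not code from the Oracle documentation: it evaluates a matching rule of the form tag.namespace.key.value (optionally with = 'value') against instance records, comparing namespace and key names exactly as the documentation requires, and reports tagged instances that are not known OKE nodes as well as known nodes that lack the tag. The instance records, the set of known node names, and the cluster OCID values are constructed sample data; in a real audit they would come from the compute and node pool listings.

```python
"""Audit membership of the OKE dynamic group by evaluating its matching rule.

Added example; not Oracle's code. A rule of the form
tag.<namespace>.<key>.value matches every instance carrying that defined
tag with any value; tag.<namespace>.<key>.value = 'x' matches only that
value (these two forms are the ones supported here; Any{...}/All{...}
wrappers are not handled). Namespace and key are compared exactly, as the
documentation requires for OraclePCA-OKE and cluster_id.
"""
import re

DYNAMIC_GROUP_RULE = "tag.OraclePCA-OKE.cluster_id.value"

_RULE_RE = re.compile(
    r"^tag\.(?P<ns>[^.]+)\.(?P<key>[^.]+)\.value"
    r"(?:\s*=\s*'(?P<val>[^']*)')?$"
)

# Constructed sample of instance records, reduced to the two fields used
# here (display-name and defined-tags). The OCID-like values are made up.
SAMPLE_INSTANCES = [
    {"display-name": "oke-pool1-node-0",
     "defined-tags": {"OraclePCA-OKE": {"cluster_id": "ocid1.cluster.sample"}}},
    # Namespace spelled with the wrong case: does not satisfy the exact rule.
    {"display-name": "oke-pool1-node-1",
     "defined-tags": {"oraclepca-oke": {"cluster_id": "ocid1.cluster.sample"}}},
    # Not an OKE node, but the tag was applied: it joins the dynamic group.
    {"display-name": "bastion-vm",
     "defined-tags": {"OraclePCA-OKE": {"cluster_id": "manual"}}},
    {"display-name": "db-vm", "defined-tags": {}},
]

# Constructed: the instances the node pool actually consists of (assumed to
# come from the cluster/node pool listing in a real audit).
SAMPLE_KNOWN_NODES = {"oke-pool1-node-0", "oke-pool1-node-1"}


def parse_rule(rule):
    """Split a matching rule into (namespace, key, required value or None)."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    return m.group("ns"), m.group("key"), m.group("val")


def is_member(instance, rule):
    """True if the instance's defined tags satisfy the rule (exact names)."""
    ns, key, required = parse_rule(rule)
    value = instance.get("defined-tags", {}).get(ns, {}).get(key)
    if value is None:
        return False
    return required is None or value == required


def audit(instances, known_nodes, rule=DYNAMIC_GROUP_RULE):
    """Return (members, unexpected_members, untagged_nodes), each sorted."""
    members = [i["display-name"] for i in instances if is_member(i, rule)]
    unexpected = [n for n in members if n not in known_nodes]
    untagged = [n for n in known_nodes if n not in members]
    return sorted(members), sorted(unexpected), sorted(untagged)


if __name__ == "__main__":
    members, unexpected, untagged = audit(SAMPLE_INSTANCES, SAMPLE_KNOWN_NODES)
    print("dynamic group members:", members)
    print("tagged but not OKE nodes (review):", unexpected)
    print("OKE nodes missing the tag (will lack permissions):", untagged)
```

Two findings come out of the sample data: bastion-vm is a member of the dynamic group although it is not an OKE node, and oke-pool1-node-1 is not a member because its tag namespace is not spelled exactly OraclePCA-OKE. Both are worth checking after node pool changes, since the first widens the reach of the dynamic group's policy and the second leaves a node without the permissions it needs.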

After upgrade, patching, or any other outage, or if the automated Certificate Authority bundle update fails, you might want to update the CA bundle manually on the management node. See Updating the Certificate Authority Bundle.

Updating the Certificate Authority Bundle

The Certificate Authority (CA) bundle for this Private Cloud Appliance is downloaded and made available to a cluster when the cluster is created. The CA bundle includes the certificate, private and public keys, and other authorization information.

The CA bundle is automatically updated on the appliance when regular certificate rotation occurs or when the appliance is upgraded, for example.

When the CA bundle is updated on the appliance, it must also be updated on the local system, for example to enable use of cluster-api. This is similar to replacing the CA bundle in your ~/.oci configuration so that you can run OCI CLI commands.

A process runs every hour to check the validity of the CA bundle and updates the CA bundle if necessary.

If you need to update the CA bundle between these hourly checks, run the process manually:

  1. Log onto the management node of the Private Cloud Appliance as a system administrator with root privilege.

  2. Get the name of an OKE pod.

    The following command lists the three OKE pods in the oke namespace:

    # kubectl get pod -n oke -l app=oke

  3. Run the command to update the CA bundle.

    Use one of the oke-uniqueID pod names from the preceding step.

    # kubectl exec -it oke-6c4d85d6f-72fxs -n oke -c oke -- /usr/bin/pca-oke-cluster-tool
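When the manual run is scripted, for example after an upgrade, the pod name should be selected rather than typed in, and a pod that is not Running should be skipped. The following is an added example, not part of the Oracle documentation, that wraps steps 2 and 3 of the procedure: it lists the pods labelled app=oke in the oke namespace as JSON, picks one that is Running, and runs /usr/bin/pca-oke-cluster-tool in that pod's oke container. It assumes kubectl is on the PATH of the management node and already points at the appliance cluster; the -t option is left off kubectl exec because the script runs without a terminal. The sample pod listing is constructed, with only the pod name quoted in the procedure taken from the page.

```python
"""Run the CA bundle check on demand on the PCA management node.

Added example; not Oracle's code. Wraps the two kubectl commands from the
procedure: list the OKE pods, choose a Running one, exec the cluster tool.
Assumes kubectl is on PATH and configured for the appliance cluster.
"""
import json
import subprocess

OKE_NAMESPACE = "oke"
OKE_LABEL = "app=oke"
CLUSTER_TOOL = "/usr/bin/pca-oke-cluster-tool"
EXPECTED_POD_COUNT = 3  # the procedure says the listing shows three OKE pods

# Constructed sample of `kubectl get pod -n oke -l app=oke -o json` output,
# trimmed to the fields used here. Only the first pod name comes from the
# documentation; the other two names are made up.
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "oke-6c4d85d6f-72fxs"}, "status": {"phase": "Running"}},
        {"metadata": {"name": "oke-6c4d85d6f-sample2"}, "status": {"phase": "Running"}},
        {"metadata": {"name": "oke-6c4d85d6f-sample3"}, "status": {"phase": "Pending"}},
    ],
})


def pod_phases(pod_list_json):
    """Map pod name -> phase from a `kubectl get pod -o json` document."""
    doc = json.loads(pod_list_json)
    return {item["metadata"]["name"]: item.get("status", {}).get("phase")
            for item in doc.get("items", [])}


def running_pods(pod_list_json):
    """Names of the pods whose phase is Running, in listing order."""
    return [name for name, phase in pod_phases(pod_list_json).items()
            if phase == "Running"]


def list_oke_pods_json():
    """Step 2 of the procedure, with JSON output instead of the table."""
    cmd = ["kubectl", "get", "pod", "-n", OKE_NAMESPACE, "-l", OKE_LABEL,
           "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def run_cluster_tool(pod_name):
    """Step 3 of the procedure: exec the tool in the pod's oke container."""
    cmd = ["kubectl", "exec", pod_name, "-n", OKE_NAMESPACE, "-c", "oke",
           "--", CLUSTER_TOOL]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode, result.stdout, result.stderr


def main():
    listing = list_oke_pods_json()
    phases = pod_phases(listing)
    if len(phases) != EXPECTED_POD_COUNT:
        print(f"warning: {len(phases)} pods with label {OKE_LABEL}, "
              f"expected {EXPECTED_POD_COUNT}")
    pods = running_pods(listing)
    if not pods:
        raise SystemExit(f"no Running pod with label {OKE_LABEL} "
                         f"in namespace {OKE_NAMESPACE}")
    rc, out, err = run_cluster_tool(pods[0])
    print(out, end="")
    if rc != 0:
        raise SystemExit(f"{CLUSTER_TOOL} in {pods[0]} exited {rc}: "
                         f"{err.strip()}; check the Loki logs in Grafana")


if __name__ == "__main__":
    main()
```

The pod-count warning is a cheap health signal: if fewer than the expected pods are present after an upgrade, the CA bundle refresh may be the least of the problems, and the Loki logs mentioned below are the place to look first.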

You can check Loki logs in Grafana for any errors that might have occurred when this process ran either automatically or manually. See "Accessing System Logs" in the Status and Health Monitoring chapter of the Oracle Private Cloud Appliance Administrator Guide.